#!/usr/bin/env bash
# -*- zh_CN.utf-8 -*-
# @Date    : 2021-05-15
# @Version : v0.1
# @Explain : jumpserver跳板机初始化脚本，初始化ssh配置 关闭root ssh登录 关闭ssh密码登录 关闭dns校验 暂支持centos7, 

# 跳板机公钥
ssh_pub_key=''

checkSystem() {
    if [ ! -f /etc/redhat-release ];then
        echo "系统非centos"
        exit 0
    else
        [ -z "$(grep ' 7.*' /etc/redhat-release)" ] && {
            echo "系统非 centos 7"
            exit 0
        }
    fi
}

checkInit() {
    if [ "$USER" == "jmsadmin" ] || [ "$USER" == "jmsuser" ];then
        echo "请勿使用跳板机使用该脚本."
        exit 0
    fi
    if [ $USER != "root" ] && ! sudo -l |grep -i nopasswd|grep -i all;then
        echo "当前用户没有sudo权限，请确认用户权限"
        exit 0
    fi
    if [ -f ~/.checkInitSshConfig ];then 
        echo "sshConfig 已初始化过，跳过~"
        exit 0
    else
        touch ~/.checkInitSshConfig
    fi
}

addSshKeyFile() {
    [ ${USER} == "root" ] || {
        sudo [ -f /root/.ssh/authorized_keys ] && {
            echo "移走root账户账户下的keyfile"
            sudo chattr -i /root/.ssh/authorized_keys
            sudo mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.$(date +%F).$(date +%s).bak 
        }
    }
    for i in $(sudo find /home/ -type f -name authorized_keys |grep -vE "/jmsuser/|/jmsadmin/|/${USER}/")
        do
        username=${i#/home/}
        username=${username%/.ssh/authorized_keys}
        echo "移走 ${username} 账户下的keyfile"
        sudo chattr -i /home/${username}/.ssh/authorized_keys 
        sudo mv /home/${username}/.ssh/authorized_keys /home/${username}/.ssh/authorized_keys.$(date +%F).$(date +%s).bak
    done
    if [ -f ~/.ssh/authorized_keys ];then
        cp -arf ~/.ssh/authorized_keys ~/.ssh/authorized_keys.$(date +%F).$(date +%s).bak
        sudo chattr -i ~/.ssh/authorized_keys
    fi
    if [ ! -d ~/.ssh/ ];then
        mkdir ~/.ssh/
        chmod 700 ~/.ssh/
    fi
    
    echo $ssh_pub_key > ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys 
    sudo chattr +i ~/.ssh/authorized_keys
}

initSshConfig() {
    # 删除老的配置
    sudo sed -i -e '/^PermitRootLogin.*/d' -e '/^PasswordAuthentication.*/d' -e '/^UseDNS.*/d' -e '/^PubkeyAuthentication.*/d' /etc/ssh/sshd_config
    # 追加ssh配置
    # sudo echo "# 修改仅允许root 使用key登录" >> /etc/ssh/sshd_config
    # sudo echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
    # sudo echo "# 修改禁止密码登录" >> /etc/ssh/sshd_config
    # sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
    # sudo echo "# 关闭DNS反查" >> /etc/ssh/sshd_config
    # sudo echo "UseDNS no" >> /etc/ssh/sshd_config
    [ ${USER} == "root" ] && {
        echo "当前仅允许root 使用key登录"
        sudo sed -i "1i # 修改仅允许root 使用key登录" /etc/ssh/sshd_config
        sudo sed -i "2i PermitRootLogin without-password" /etc/ssh/sshd_config
    } || {
        echo "当前禁止root 登录"
        sudo sed -i "1i # 禁止 root 登录" /etc/ssh/sshd_config
        sudo sed -i "2i PermitRootLogin no" /etc/ssh/sshd_config
    }
    sudo sed -i "3i # 修改禁止密码登录" /etc/ssh/sshd_config
    sudo sed -i "4i PasswordAuthentication no" /etc/ssh/sshd_config
    sudo sed -i "5i # 关闭DNS反查" /etc/ssh/sshd_config
    sudo sed -i "6i UseDNS no" /etc/ssh/sshd_config
    sudo sed -i "7i # 开启key认证" /etc/ssh/sshd_config
    sudo sed -i "8i PubkeyAuthentication yes" /etc/ssh/sshd_config
}

checkSshConfig() {
    sudo grep -iE "^PermitRootLogin|^PasswordAuthentication|^UseDNS" /etc/ssh/sshd_config
}

echoSshMessage() {
    sshPort=$(sudo grep '^Port ' /etc/ssh/sshd_config |awk '{print $2}')
    [ -z "${sshPort}" ] && sshPort=22
    echo "===========ssh user port=============="
    echo "User: ${USER}, Port: ${sshPort}" 
}

restartSsh() {
    sudo systemctl restart sshd
}

checkSystem
checkInit
addSshKeyFile
initSshConfig
checkSshConfig
#restartSsh
echoSshMessage